
Standard Process for Restoring IPtables at Boot?

07/07/2023 Category: Network

Source: Ubuntu Tutorials

I got to thinking about something the other day when I rebuilt my webserver using Debian 5.0. How does Debian/Ubuntu standardize on reloading the iptables rules at boot time?

I know that Red Hat and its variants use the /etc/sysconfig/iptables file as a save and restore point, and there is an init script, iptables, that starts at boot prior to the network script, but is there a similar standard on Debian/Ubuntu?

The solution I’ve come up with (and I’m very curious to hear what others have done) is the following:

First, I manually enter my base iptables rules…

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ADMIN_IP_1..3 are placeholders for the scrambled source addresses (a host or network per rule)
iptables -A INPUT -s ADMIN_IP_1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s ADMIN_IP_2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s ADMIN_IP_3 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
...etc, etc.

(IP addresses have been scrambled to protect their identity.)

I then run:

iptables-save > /etc/default/iptables

From this point forward I manually update my ruleset by editing the file directly with a text editor.

To reload these rules at boot-time I have added a line to my /etc/network/interfaces configuration as follows:

auto eth0
iface eth0 inet static
    address foo
    netmask bar
    gateway baz
    dns-search domain.tld
    dns-nameservers foo
    pre-up iptables-restore < /etc/default/iptables

That last line tells the machine to run iptables-restore, reading from /etc/default/iptables, before it activates these network settings, so the ruleset is in place before the interface comes up. This seems to work well enough so far, but I’m still curious what others have done. Do you simply write an init script on your own and maintain the ruleset within that file? Do you use a file similar to what I’ve done, but source it via an init script? I’m curious, as there does not seem to be a standard that I’m aware of.
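One thing the pre-up approach does not protect against is a hand-edited /etc/default/iptables that fails to parse, or that quietly loses its catch-all deny or its SSH rule, and is only discovered after the reboot. The following check is an added example, not part of the original post: a POSIX sh function that inspects an iptables-save dump before a pre-up hook hands it to iptables-restore, plus a constructed sample ruleset in that format (192.0.2.0/24 is the documentation range, standing in for the post's scrambled address).

```shell
# check_ruleset FILE: sanity-check an iptables-save dump before a pre-up hook
# feeds it to iptables-restore. Returns 0 when the file is structurally sound
# and keeps a remote box reachable: every *table closed by COMMIT, a filter
# table present, inbound default-deny (DROP policy or a trailing catch-all
# REJECT/DROP), loopback and RELATED/ESTABLISHED accepted, and an SSH rule.
check_ruleset() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] \
        || { echo "every *table needs a matching COMMIT" >&2; return 1; }
    grep -q '^\*filter$' "$f" || { echo "no filter table" >&2; return 1; }
    # With an ACCEPT policy the last INPUT rule must be the catch-all deny,
    # otherwise anything not matched earlier is let in.
    if ! grep -q '^:INPUT DROP' "$f"; then
        last=$(grep '^-A INPUT' "$f" | tail -n 1)
        case "$last" in
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) ;;
            *) echo "INPUT is default-allow and has no final deny" >&2; return 1 ;;
        esac
    fi
    grep -q '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "loopback traffic not accepted" >&2; return 1; }
    grep -Eq '^-A INPUT .*(ESTABLISHED|RELATED).* -j ACCEPT' "$f" \
        || { echo "no RELATED,ESTABLISHED accept rule" >&2; return 1; }
    grep -Eq '^-A INPUT .*--dport 22 .*-j ACCEPT' "$f" \
        || { echo "no SSH accept rule: a reboot would lock you out" >&2; return 1; }
    return 0
}

# Constructed sample in iptables-save format (not a real host's ruleset).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF
if check_ruleset "$SAMPLE"; then echo "ruleset OK"; else echo "ruleset rejected"; fi
```

In the interfaces file this can sit as an extra pre-up line before the iptables-restore one, so a bad edit fails the interface bring-up loudly instead of silently leaving the host unfiltered.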
